diff options
| author | Evgeny Vereshchagin <evvers@ya.ru> | 2018-09-29 03:06:10 +0000 |
|---|---|---|
| committer | Thomas Haller <thaller@redhat.com> | 2018-10-29 21:18:43 +0100 |
| commit | 86391f2741498c1d5bad8bfff89f85dcf43a1dc1 (patch) | |
| tree | 836d6afafd539383cb8af9cbf1497fd4fc515ad4 | |
| parent | d8f9054e9b9e677519e5c40ce1c6e4f7a9ae4db8 (diff) | |
| download | NetworkManager-86391f2741498c1d5bad8bfff89f85dcf43a1dc1.tar.gz | |
dhcp6: fix an off-by-one error in dhcp6_option_parse_domainname
==14==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x60200055fa9c at pc 0x0000005458f1 bp 0x7ffc78940d90 sp 0x7ffc78940d88
READ of size 1 at 0x60200055fa9c thread T0
#0 0x5458f0 in dhcp6_option_parse_domainname /work/build/../../src/systemd/src/libsystemd-network/dhcp6-option.c:555:29
#1 0x54706e in dhcp6_lease_set_domains /work/build/../../src/systemd/src/libsystemd-network/sd-dhcp6-lease.c:242:13
#2 0x53fce0 in client_parse_message /work/build/../../src/systemd/src/libsystemd-network/sd-dhcp6-client.c:984:29
#3 0x53f3bc in client_receive_advertise /work/build/../../src/systemd/src/libsystemd-network/sd-dhcp6-client.c:1083:13
#4 0x53d57f in client_receive_message /work/build/../../src/systemd/src/libsystemd-network/sd-dhcp6-client.c:1182:21
#5 0x7f0f7159deee in source_dispatch /work/build/../../src/systemd/src/libsystemd/sd-event/sd-event.c:3042:21
#6 0x7f0f7159d431 in sd_event_dispatch /work/build/../../src/systemd/src/libsystemd/sd-event/sd-event.c:3455:21
#7 0x7f0f7159ea8d in sd_event_run /work/build/../../src/systemd/src/libsystemd/sd-event/sd-event.c:3512:21
#8 0x531f2b in fuzz_client /work/build/../../src/systemd/src/fuzz/fuzz-dhcp6-client.c:44:9
#9 0x531bc1 in LLVMFuzzerTestOneInput /work/build/../../src/systemd/src/fuzz/fuzz-dhcp6-client.c:53:9
#10 0x57bec8 in fuzzer::Fuzzer::ExecuteCallback(unsigned char const*, unsigned long) /src/libfuzzer/FuzzerLoop.cpp:570:15
#11 0x579d67 in fuzzer::Fuzzer::RunOne(unsigned char const*, unsigned long, bool, fuzzer::InputInfo*, bool*) /src/libfuzzer/FuzzerLoop.cpp:479:3
#12 0x57dc92 in fuzzer::Fuzzer::MutateAndTestOne() /src/libfuzzer/FuzzerLoop.cpp:707:19
#13 0x580ca6 in fuzzer::Fuzzer::Loop(std::__1::vector<std::__1::basic_string<char, std::__1::char_traits<char>, std::__1::allocator<char> >, fuzzer::fuzzer_allocator<std::__1::basic_string<char, std::__1::char_traits<char>, std::__1::allocator<char> > > > const&) /src/libfuzzer/FuzzerLoop.cpp:838:5
#14 0x55e968 in fuzzer::FuzzerDriver(int*, char***, int (*)(unsigned char const*, unsigned long)) /src/libfuzzer/FuzzerDriver.cpp:764:6
#15 0x551a1c in main /src/libfuzzer/FuzzerMain.cpp:20:10
#16 0x7f0f701a082f in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x2082f)
#17 0x41e928 in _start (/out/fuzz-dhcp6-client+0x41e928)
https://github.com/systemd/systemd/pull/10200
https://github.com/systemd/systemd/commit/b387d3c1327a3ad2a2509bd3d3491e674392ff21
(cherry picked from commit 7cb7cffc4962245a32e87017bcf264005c043250)
(cherry picked from commit cd3aacefdd0b91741b7b2e7b5ee5baab210addd9)
(cherry picked from commit 5b140a77bc7b01dc002dbf28a7a2507a27a63d7c)
(cherry picked from commit 0f25f47767794fb179edb9916566a208fbcfcb8f)
(cherry picked from commit c13e43979e10e636e3787bf85a4d56fa5187e70d)
(cherry picked from commit b7b2c8ad3829528eb24dacd91fac9056d731933a)
| -rw-r--r-- | src/systemd/src/libsystemd-network/dhcp6-option.c | 2 |
1 files changed, 1 insertions, 1 deletions
diff --git a/src/systemd/src/libsystemd-network/dhcp6-option.c b/src/systemd/src/libsystemd-network/dhcp6-option.c index 3a77e34d57..d8812c36fd 100644 --- a/src/systemd/src/libsystemd-network/dhcp6-option.c +++ b/src/systemd/src/libsystemd-network/dhcp6-option.c @@ -366,7 +366,7 @@ int dhcp6_option_parse_domainname(const uint8_t *optval, uint16_t optlen, char * /* Literal label */ label = (const char *)&optval[pos]; pos += c; - if (pos > optlen) + if (pos >= optlen) return -EMSGSIZE; if (!GREEDY_REALLOC(ret, allocated, n + !first + DNS_LABEL_ESCAPED_MAX)) { |